Security Global Forum

Colonial Pipeline Hack and Zero Trust Security

By Gerry Grealish posted Tue August 03, 2021 07:01 AM

The recent Colonial Pipeline ransomware attack, which forced the shutdown of one of the largest fuel pipelines in the US and led to widespread fuel shortages, has put cybersecurity discussions and regulation at the forefront of both government and business executives' agendas.

In this attack, the intruders gained access to Colonial Pipeline's network through a VPN (virtual private network) account that allowed employees to reach the corporate network remotely. The account was a legacy one that had been idle for a long time, and, as publicly reported, it was not protected by multi-factor authentication, so a single password was enough to get in. The intrusion ultimately resulted in the company paying a ransom of 75 bitcoin, roughly $4.4M USD at the time of the attack.

Although much of the ransom was later recovered by the FBI, there are many takeaways from the largest cyberattack on an oil target in US history. In this post, we'll discuss how VPN accounts can become an entry point for "lateral movement", and how Zero Trust security can improve cybersecurity for businesses and governments alike.

What is Lateral Movement?

Lateral movement is the way an attacker (or a legitimate user) navigates a network after gaining some form of initial access: compromising or logging in to one application or host, then using that foothold to reach other resources, servers or accounts on the same network. In the traditional "castle and moat" model, the network perimeter is strongly defended against outsiders, but anyone who gets past it can move about freely. As discussed in Ericom's article on improving cybersecurity by preventing lateral movement, this is a concern because an attacker who gains legitimate access to a single entry point may then have nearly unfettered access to the entire network.


In the Colonial attack, the password of the compromised VPN account had been exposed in a batch of leaked credentials on the dark web. The technical details of what happened after the VPN login have not been made public, but restricting lateral movement with Zero Trust controls could well have prevented the attack, or at least reduced its scale, even though it could not have stopped the initial login with a valid password.
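To make the "one credential, many hosts" pattern concrete, here is a small detection script that runs over a handful of constructed authentication events. It is an added example written for this post, not code from the original article or from Ericom's products, and the log format, host names, 90-day dormancy threshold and 10-minute/3-host fan-out window are all assumptions chosen for illustration, not details of the Colonial incident.

```python
"""Detect two signals from the incident described above, over constructed logs:
(1) a VPN login on an account that has been dormant for months, and
(2) an account fanning out to many internal hosts shortly after its VPN login.
Added example; format, thresholds and data are assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, one per line: "<ISO timestamp> <user> <event> <src> <dst>"
SAMPLE_LOG = """\
2021-04-29T08:01:10 jdoe vpn_login 203.0.113.7 vpn-gw
2021-04-29T08:03:22 jdoe logon 10.10.5.21 fileserver01
2021-04-29T08:04:05 jdoe logon 10.10.5.21 hr-db01
2021-04-29T08:04:40 jdoe logon 10.10.5.21 app-srv02
2021-04-29T08:05:12 jdoe logon 10.10.5.21 backup01
2021-04-29T08:05:50 jdoe logon 10.10.5.21 dc01
2021-04-29T09:15:00 asmith vpn_login 198.51.100.9 vpn-gw
2021-04-29T09:20:00 asmith logon 10.10.7.3 fileserver01
2021-04-29T11:40:00 asmith logon 10.10.7.3 fileserver01
"""

# Constructed "last activity" table, as an identity system or SIEM would hold it.
LAST_SEEN = {
    "jdoe": datetime(2020, 11, 3, 17, 0),    # idle for roughly six months
    "asmith": datetime(2021, 4, 27, 9, 0),   # active two days earlier
}


def parse_events(text):
    """Parse the space-separated log into (timestamp, user, event, src, dst)."""
    events = []
    for line in text.splitlines():
        ts, user, event, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, event, src, dst))
    return sorted(events, key=lambda e: e[0])


def dormant_account_logins(events, last_seen, threshold_days=90):
    """Users whose VPN login follows more than threshold_days without activity.
    A never-seen account is flagged too: a successful login on it is just as odd."""
    seen = dict(last_seen)           # copy so the caller's table is untouched
    flagged = []
    for ts, user, event, _src, _dst in events:
        if event == "vpn_login":
            prev = seen.get(user)
            if prev is None or (ts - prev) > timedelta(days=threshold_days):
                flagged.append(user)
        seen[user] = ts              # any event counts as activity
    return flagged


def lateral_movement_after_vpn(events, window=timedelta(minutes=10), max_hosts=3):
    """Map user -> sorted internal hosts for users who log on to more than
    max_hosts distinct hosts within `window` of their VPN login."""
    vpn_time = {}
    hosts = defaultdict(set)
    alerts = {}
    for ts, user, event, _src, dst in events:
        if event == "vpn_login":
            vpn_time[user] = ts
            hosts[user] = set()      # start a fresh window per VPN session
        elif event == "logon" and user in vpn_time and ts - vpn_time[user] <= window:
            hosts[user].add(dst)
            if len(hosts[user]) > max_hosts:
                alerts[user] = sorted(hosts[user])
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("dormant account logins:", dormant_account_logins(evs, LAST_SEEN))
    print("fan-out after VPN login:", lateral_movement_after_vpn(evs))
```

On the constructed data, jdoe trips both rules (a months-idle account logs in and then touches five hosts in under five minutes), while asmith, who returns to the same file server twice hours apart, trips neither. In a real environment the window and host count would be tuned per role, and the dormancy check is better applied at the identity provider (disabling idle accounts outright) than after the fact.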

Preventing Lateral Movement with Zero Trust Security

Zero Trust security is an approach to cybersecurity that treats preventing lateral movement as part of its core philosophy. Rather than assuming that everything inside the perimeter is trustworthy, it grants no implicit trust to any user, device or connection, and it rejects the notion that users should have free access to an entire network once they have been authorized to access a specific resource. Because every access request is authenticated and authorized on its own, an authorized user (or an attacker holding that user's credentials) has little or no ability to move laterally once inside the network.


Preventing unauthorized lateral movement altogether is the ideal, but additional measures should also be in place to detect and block bad actors who nevertheless succeed in moving within a network. Here are several ways to improve cybersecurity and prevent lateral movement:


  • Minimize privileged account use: Privileged accounts with administrative access are a risk because they typically allow free movement throughout the entire network. To limit the damage if one is compromised, they should be used only when a task actually requires elevated privileges; for everything else, system administrators should work from standard accounts, which limits an attacker's ability to move laterally.
  • Zero Trust Network Access (ZTNA): ZTNA prevents lateral movement by enforcing the principle of least privilege: users can reach only the data and applications required for the tasks they are responsible for, rather than the whole network. If login credentials are stolen, the attacker can reach only the resources that user was authorized for.
  • Microsegmentation: Whereas ZTNA limits what users can access, microsegmentation creates barriers within the network itself to limit lateral movement between components. Segmentation can be as fine-grained as the individual workload; for example, Ericom Application Isolator automates assignment of access privileges at the individual level and prevents users from even seeing apps they are not authorized to access.
  • Context-based access control: Finally, context-based access control goes beyond static ZTNA entitlements in that access decisions are context-sensitive. Users get access to certain apps or devices only if they are authorized at the point in time they are trying to use them, and from a location (or device) the system recognizes as one the user normally works from.

With these more granular access controls, adopting Zero Trust principles means that even attackers who gain access to a network are severely restricted in moving laterally, breaching the entire system, or spreading malware or ransomware throughout it.
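The four controls above can be combined into a single default-deny decision. The evaluator below is an added example written for this post, not the code of Ericom Application Isolator or of any ZTNA product; the users, applications, network segments, working hours and countries are constructed policy data, and the rule that admin accounts may only be used for admin-tagged applications is an assumption that models the first bullet.

```python
"""Default-deny access evaluator that applies, in order: MFA, least-privilege
entitlements (ZTNA), microsegmentation by source network, context (location and
time of day), and the rule that privileged accounts are used only for admin
tasks. Added example; all policy data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    src_ip: str
    hour: int                  # local hour of the request, 0-23
    country: str
    mfa: bool                  # did this session complete multi-factor authentication?
    privileged: bool = False   # is the caller using an administrative account?


# Least privilege: each user sees only the apps their role needs.
USER_APPS = {
    "jdoe": {"crm", "fileshare"},
    "asmith": {"crm"},
    "ops-admin": {"fileshare", "backup-console"},
}
# Microsegmentation: each app accepts connections only from listed segments.
APP_SEGMENTS = {
    "crm": [ip_network("10.20.0.0/24")],
    "fileshare": [ip_network("10.20.0.0/24"), ip_network("10.30.0.0/24")],
    "backup-console": [ip_network("10.99.0.0/28")],   # admin jump segment only
}
ADMIN_APPS = {"backup-console"}          # the only place an admin account belongs
# Context: where and when each user normally works.
USER_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US", "CA"}, "ops-admin": {"US"}}
WORK_HOURS = range(7, 20)                # 07:00-19:59 local


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if not req.mfa:
        return False, "mfa_required"              # a leaked password alone is not enough
    if req.app not in USER_APPS.get(req.user, set()):
        return False, "not_entitled"              # least privilege / ZTNA
    src = ip_address(req.src_ip)
    if not any(src in net for net in APP_SEGMENTS[req.app]):
        return False, "segment_blocked"           # microsegmentation
    if req.country not in USER_COUNTRIES.get(req.user, set()):
        return False, "unknown_location"          # context: place
    if req.hour not in WORK_HOURS:
        return False, "outside_hours"             # context: time
    if req.privileged and req.app not in ADMIN_APPS:
        return False, "use_standard_account"      # admin rights only where needed
    if not req.privileged and req.app in ADMIN_APPS:
        return False, "privilege_required"
    return True, "allow"


def stolen_vpn_password_scenario() -> Tuple[bool, str]:
    """An attacker with jdoe's leaked password but no second factor, at 3 a.m.
    from an unfamiliar country: denied before any entitlement is consulted."""
    return evaluate(Request("jdoe", "fileshare", "10.30.0.8", 3, "AU", mfa=False))


if __name__ == "__main__":
    for r in (
        Request("jdoe", "crm", "10.20.0.15", 10, "US", mfa=True),
        Request("jdoe", "backup-console", "10.99.0.3", 10, "US", mfa=True),
        Request("ops-admin", "backup-console", "10.30.0.5", 10, "US", mfa=True, privileged=True),
        Request("ops-admin", "fileshare", "10.30.0.5", 10, "US", mfa=True, privileged=True),
        Request("asmith", "crm", "10.20.0.9", 22, "CA", mfa=True),
    ):
        print(r.user, r.app, evaluate(r))
    print("stolen password:", stolen_vpn_password_scenario())
```

The order of the checks matters less than the fact that all of them must pass and that the fall-through result is a denial. Note also what the evaluator deliberately does not do: it never grants anything on the basis of "already inside the network", which is exactly the implicit trust the castle-and-moat model hands out.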


In many ways, these strategies are as much about minimizing the damage of an attack as about preventing it altogether. For example, as described in Ericom's guide to microsegmentation:


With microsegmentation, attack surfaces are reduced to a minimum, and unauthorized lateral movement within the data center or to other resources is prevented.

Summary: Zero Trust and the Colonial Pipeline Hack

As businesses and governments alike become increasingly dependent on billions of interconnected devices, which together comprise the infrastructure of modern life, cybersecurity has become more important than ever. As cybercrime continues to grow in sophistication, older, perimeter-based paradigms for protection have become inadequate. And as companies move to hybrid, cloud and multi-cloud systems, the network perimeter blurs and these threats become more and more prevalent.


In order to protect against threats and minimize the damage of attacks like the one on Colonial Pipeline, adopting a Zero Trust approach to network security has become essential. In summary, by minimizing lateral movement within a network through restrictions such as least-privilege access and microsegmentation, a Zero Trust approach can largely prevent, or substantially reduce, the damage even from attackers who succeed in gaining access to an enterprise network.

Gerry Grealish, Chief Marketing Officer at Ericom Software
